New Skimer malware on the market again, infected ATMs in 10 countries already

A malware initially discovered back in 2009 has resurfaced again according to researchers. The malware was called Skimer is believed to be affecting Automated Teller Machines now. The 2016 version of the Skimer malware has been heavily modified, and hackers can access card data such as PIN numbers and also get access to the cash that is available on the machine.

Malicious actors are using the Thermida packer to help with disguising the Skimer malware and install it on various ATMs. The Skimer malware then checks to see if the ATM is carrying FAT32 or the NTFS file system. If it’s FAT32, Skimer then places a netmgr.dll file in the C:\Windows\System32 folder. If the ATM has the NTFS file system, the malware then places the netmgr.dll folder on the executable file of the NTFS data stream. This makes finding the malware even more difficult.

The Skimer malware is different in its work and differs from other skimming malware such as Tyupkin. Tyupkin becomes active after a specific time of infection and is activated by a magic code, but Skimer actually lies dormant for so long and only becomes active when a magic card is inserted into the ATM. The magic card is the gateway for the malware to the ATM and then some options are then inserted via the pin pad.

The user then requests the ATM to perform various tasks which include showing installation details of the ATM, dispensation of money from the machine, harvesting and collection of data from all inserted cards which could be catastrophic for unsuspecting ATM users. Other functions that the hacker gains include printing of all collected card details, a self-delete option, a debug mode and an option to actually to update the malware which is in the machine.

Kaspersky researchers who were responsible for the discovery gave out about 49 modifications of the Skimer malware and showed that 37 of them were targeting one manufacturer of most ATMs. The ability of the malware to interact with ATMs can be accredited to the first Skimer malware of 2009.

Another company, VirusTotal did an analysis on the new Skimer data and discovered that ATMs in 10 different countries were affected already. The ten countries are UAE, France, USA, Russia, Macao, China, Philippines, Spain, Germany, Georgia, Poland, Brazil and the Czech Republic.

Kaspersky researchers said that banks had to look out for magic cards which would show up on their logs and would help them in identifying the affected ATMs. Full disk encryption and isolating ATM networks from bank networks were also some of the techniques advised.